The European Commission has admitted it has no evidence that Kaspersky Lab products are a national security risk to member states, despite the European Parliament voting last summer for a ban on the Russian AV company.
The revelations come in response to a question from right-wing European Parliament member (MEP), Gerolf Annemans.
It refers to the non-binding resolution, passed on June 13 2018, which branded Kaspersky Lab as ‘malicious’ and ‘dangerous.’
“Does the Commission know of any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious,” especially since Member States such as Germany, France and Belgium do not perceive any problems with cooperation with the firm concerned?” he asked.
The Belgian MEP also asked whether the Commission is aware “of any reports or opinions of cyber-experts or consultancies about Kaspersky Lab, and can it give me references to them?”
In response, the Commission said it is “not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products,” and that “it did not commission any reports” into the issue to find out more.
“The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market,” it added.
“The EU is an open market, which can be accessed by foreign companies in compliance with EU rules. In addition, Member States have the competence to decide whether to exclude companies from their markets for national security reasons.”
That would seem to suggest that too much weight was given to US moves to ban the Moscow-based vendor at the time of the vote, despite it not being able to produce any proof to back up its claims of the firm being a national security risk. The UK also issued a warning in December 2017 for agencies not to use its products for processing information classified SECRET and above.
The European Parliament motion in question was framed in general terms about cyber-defense, yet only Kaspersky Lab was named, adding weight to the notion that it was unfairly singled out.
It’s unclear why it took so long to gain clarification from the Commission on this.